AWS GetParameters
Retrieves one or more parameters from AWS Systems Manager Parameter Store, optionally decrypting SecureString values.
Discovery
Discovery
Section titled “Discovery”The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
In cloud environments, adversaries enumerate resources, IAM policies, network configurations, and storage buckets to map out the environment. They use cloud provider APIs to list instances, describe security groups, enumerate roles and policies, and identify potential targets for lateral movement or data exfiltration.
View Discovery on MITRE ATT&CK →Events Related to Discovery
Section titled “Events Related to Discovery”AWS GetSecretValue
Retrieves the plaintext value of a secret stored in AWS Secrets Manager.
Azure Microsoft.AppConfiguration/configurationStores/listKeys/action
Lists the access keys for an Azure App Configuration store, exposing credentials used to read or write configuration data.
Azure Microsoft.Automation/automationAccounts/credentials/read
Reads credential assets stored in an Azure Automation account, potentially exposing sensitive authentication data.
Azure Microsoft.Batch/batchAccounts/listKeys/action
Lists the access keys for an Azure Batch account, exposing credentials used to authenticate Batch API calls.
Azure Microsoft.ContainerRegistry/registries/listCredentials/action
Lists the admin credentials for an Azure Container Registry, exposing the username and password for registry access.
Azure Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Azure Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Retrieves the user-level kubeconfig for an AKS cluster.
Azure Microsoft.KeyVault/vaults/certificates/read
Reads a certificate stored in an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/keys/read
Reads a cryptographic key from an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/secrets/read
Reads a secret value from an Azure Key Vault.
Azure Microsoft.OperationalInsights/workspaces/sharedKeys/action
Retrieves the primary and secondary access keys for a Log Analytics workspace.
Azure Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action
Lists the access keys for an Azure Service Bus namespace authorization rule, exposing connection strings for messaging.
Azure Microsoft.Storage/storageAccounts/listKeys/action
Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.
Azure Microsoft.Web/sites/host/listKeys/action
Lists the host keys for an Azure App Service or Azure Functions app, exposing function-level and master access keys.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.